The ransomware components are stored inside the images as ZIP files, and they aren’t triggered if the user simply accesses their URL via browser. The aforementioned JScript, however, not only downloads the images, but also extracts the hidden malicious components (sync.exe, readme.html, and readme.png), BleepingComputer’s Lawrence Abrams reveals.

The WSF file also creates a Windows scheduled task called Sync. Once the sync.exe file is executed, it starts scanning the victim’s computer for certain file types and encrypts them using AES encryption. The malware encrypts the used AES key with an embedded RSA-4096 public encryption key.

The ransomware targets over 350 file types and appends the .kk extension to them after encryption. The threat skips files located in several folders, namely \windows\, \program files (x86)\, \program files\, \programdata\, \winnt\, \system volume information\, \desktop\readme\, and \$recycle.bin\.

The ransomware demands around $430 to be paid to retrieve the decryption key. The attackers instruct victims to provide them with the key file after paying the ransom to receive a decrypter. The email addresses used as part of the analyzed attack include [email protected], [email protected], and [email protected].

The distribution of this ransomware is highly effective because of its ability to bypass detection. According to Abrams, only one of the 58 vendors in VirusTotal could detect the malicious images at the time of analysis. Sync.exe, on the other hand, had a detection rate of 28 out of 63.

To stay protected, users should pay extra care when opening attachments or clicking on URLs in emails received from unknown sources. They should also keep their files backed up at all times, to ensure they can recover their data without having to pay a ransom. Keeping all software on the machine updated at all times should decrease the chances of becoming infected.